On Thu, May 15, 2008 at 11:05 AM, Ron Lemon <[EMAIL PROTECTED]> wrote:
> I would like to take a reasonable machine and run some virtualization
> software on it so that I can run both pfSense and a copy of a standard
> workstation image so I can use it for remote testing.  The workstation image
> will not need to run that often but I need to make sure it is running in the
> same type of environment as the rest of the internal workstations.
>
> Can I safely run pfSense and another OS in a virtualized environment without
> compromising security?

The answer here greatly depends on your security standards.  In this
configuration, the biggest risk you have is that someone can directly
compromise the host, thereby compromising your guests.  At this time,
I believe this is a theoretical attack vector, although I have
certainly seen network driver level compromises in the past.  So,
while you aren't likely to be compromised from a script kiddie, I
wouldn't want to put this in front of a skilled and dedicated attacker
(you don't have any enemies do you? ;-P)

> If so, can you give me a basic idea of what I need. Do I need 3 physical
> NICs in the machine: 1 WAN, 1 LAN, 1 for the workstation image? I will
> probably use VMWare Workstation 6.0; is there anything special I need to do
> with it, etc.

The best way you can set this up would be a 3 or 4 NIC configuration
(3 is probably good enough).

Host:
  NIC 1 - Host OS management
  NIC 2 - bridged to pfSense (use as pfSense WAN)
  NIC 3 - bridged to pfSense (use as pfSense LAN) and bridge to workstation

Make sure there are no IP protocols running on the host OS on NIC 2 and
NIC 3 and that, other than VMware, nothing is bound to those NICs in
any way.  Anything in promiscuous mode (say, tcpdump, snort, etc.)
running on the host is vulnerable to application level attacks that
can compromise the host and bypass the firewall.

FWIW...on the security risk front: would I run this at work? No, no,
and hell no.  At home...I might take the risk given that I have a
decent understanding of the attack vectors.

--Bill
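One way to audit the host-side rule Bill gives (no IP addresses on, and nothing in promiscuous mode on, the NICs bridged to pfSense and the workstation VM), as an added example that is not part of the original thread. It assumes a Linux host with iproute2; the `ip -o` output below is constructed sample data standing in for the live commands, and `eth0`/`eth1`/`eth2` are assumed names.

```shell
#!/bin/sh
# Constructed sample of `ip -o addr show` on the host.
# eth0 = host management NIC (NIC 1); eth1/eth2 = NICs bridged to the VMs (NIC 2/3).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth1
3: eth1    inet6 fe80::1/64 scope link
4: eth2    inet6 fe80::2/64 scope link'

# Constructed sample of `ip -o link show` on the same host.
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast'

# bridge_nic_issues NIC ADDR_OUTPUT LINK_OUTPUT
# Prints one line per finding for NIC; prints nothing when the NIC is clean.
# Any inet/inet6 address counts (a link-local IPv6 address is still an IP
# stack listening on the wire), as does the PROMISC flag on the interface.
bridge_nic_issues() {
    nic=$1; addr=$2; link=$3
    printf '%s\n' "$addr" | awk -v nic="$nic" \
        '$2 == nic && ($3 == "inet" || $3 == "inet6") { print nic ": has " $3 " address " $4 }'
    printf '%s\n' "$link" | awk -v nic="$nic" \
        '$2 == nic ":" && $3 ~ /PROMISC/ { print nic ": interface is in promiscuous mode" }'
}

# audit_bridge_nics ADDR_OUTPUT LINK_OUTPUT NIC...
# Prints each finding on stderr and the total number of findings on stdout
# (0 means every listed bridged NIC is clean).
audit_bridge_nics() {
    addr=$1; link=$2; shift 2
    for nic in "$@"; do
        bridge_nic_issues "$nic" "$addr" "$link"
    done | awk '{ print > "/dev/stderr" } END { print NR }'
}

# Check only the bridged NICs; the management NIC (eth0) is expected to have an address.
# On a real host replace the samples with "$(ip -o addr show)" and "$(ip -o link show)".
findings=$(audit_bridge_nics "$SAMPLE_ADDR" "$SAMPLE_LINK" eth1 eth2)
echo "findings on bridged NICs: $findings"
```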
